GDPR 2.0 - Digital Omnibus

The Digital Omnibus is the Commission's proposal to simplify AI, cybersecurity and (personal) data rules to "save businesses up to €5bn in administrative costs by 2029". Ongoing now: public consultation until (fittingly!) 28 January 2026 – feedback goes to Parliament and Council.


By Rie Aleksandra Walle
Generated with ChatGPT. Prompt: Create an cartoonish image illustrating the highly debated Digital Omnibus package by the European Commission and "the good, bad and ugly"

Join the discussion on LinkedIn:

#digitalomnibus | Rie Aleksandra Walle | 24 comments
The bad and ugly in #DigitalOmnibus have already been extensively covered here by others, so I’ll mention a few (potentially*) good things - at least practically:

⏰ Only high-risk breaches must be reported to the DPA – within *96* hours – and there’ll be a single-entry point for incident reporting for the GDPR, DORA, eIDAS and CER and NIS2 Directives.

🔎 Data subjects should be as specific as possible when requesting access and overly broad and undifferentiated requests should be regarded as excessive – which should be easier for the controller to demonstrate.

📝 There’ll be one EEA-wide list of when a DPIA is required and the list of when they’re not will also become mandatory.

* I write “potentially” because I have to ponder the implications more. These changes will definitely lead to easier compliance efforts but that must, of course, be balanced against fundamental human rights. I’m not as convinced as others that these (particular) changes are bad or ugly, though.

A key question is: by changing certain aspects, what will we miss? For example, the breach threshold will significantly reduce compliance burdens – and the number (and efforts!) of notifications to the DPA – but how could this impact personal data protection more broadly? 🤔 Will it? I’m not sure, but I’ve got numbers demonstrating why it’ll significantly ease the burdens, for controllers and DPAs alike!

The same with access requests. I’ve dealt with my share of excessive requests, but the threshold to deem them as such is set very high by the EDPB. Change is needed and welcome here! But again I’m conscious we have to look at the bigger picture.

PS: Don’t forget none of this is reality yet!

💬 What’s your view on these particular points?

Recent news

The Commission has launched an eight-week public consultation. They'll summarise all responses and present them to the European Parliament and Council to inform the legislative debate:

European Commission - Have your say

The period's extended every day until the proposal is available in all EU languages

Digital Omnibus: First Analysis of Select GDPR and ePrivacy Proposals by the Commission

Updated analysis from noyb

Digital Omnibus - First Legal Analysis
The noyb team did a first analysis of the Digital Omnibus - focusing on the problems of the proposal in practice and for users and companies.

noyb’s shared a thorough first analysis video

121 civil society organisations, academics, companies and others raised immediate concerns about the proposal, including noyb. Also see Max Schrems and noyb comments on LinkedIn 8 Nov and 10 Nov, and their official feedback to the proposal 14 Oct.


The Digital Omnibus

On 19 Nov 2025, the European Commission proposed further changes to the GDPR, the AI Act and several other Regulations, submitting them to the European Parliament and Council for adoption.

Simpler EU digital rules and new digital wallets to save billions for businesses and boost innovation
Europe’s businesses, from factories to start-ups, will spend less time on administrative work and compliance and more time innovating and scaling-up, thanks to the European Commission’s new digital package.
Digital Omnibus Regulation Proposal
The Digital Omnibus proposal includes a set of technical amendments to a large corpus of digital legislation, selected to bring immediate relief to businesses, public administrations, and citizens alike, to stimulate competitiveness.
Digital Omnibus on AI Regulation Proposal
The Commission is proposing targeted simplification measures to ensure timely, smooth, and proportionate implementation of certain of the AI Act’s provisions.

The AI one

Watch the press conference recording.

💡
Articles 4, 30, 40 and 42 changes proposed 21 May are part of the same overall initiative, just presented in the 'Omnibus IV' package.

Key changes

PS: Remember this is still only a proposal and could remain so for a while, depending on pushbacks and what the Parliament and Council decide.

Aside from the introductory text, the proposed key changes for the GDPR and ePD are on pages 19-21, 33-43, (especially) 78-85, and 89.

These will also apply to the EUDPR (Regulation 2018/1725, the 'GDPR' for EU institutions and bodies).

Definitions
The busy privacy and data protection pro’s easy, swift and neatly structured access to the full GDPR legal text.

Article 4

  • Article 4 is amended as follows:
    • in point 1, the following sentences are added:
      • Information relating to a natural person is not necessarily personal data for every other person or entity, merely because another entity can identify that natural person. Information shall not be personal for a given entity where that entity cannot identify the natural person to whom the information relates, taking into account the means reasonably likely to be used by that entity. Such information does not become personal for that entity merely because a potential subsequent recipient has means reasonably likely to be used to identify the natural person to whom the information relates.
    • the following points are added:
      • (32) ‘terminal equipment’ means terminal equipment as set out in Article 1(1) of Directive 2008/63/EC;
      • (33) for ‘electronic communications networks’ the definition of Article 2(1) of Directive (EU) 2018/1972 shall apply;
      • (34) ‘web browser’ means web browser as defined in Article 2(11) of Regulation (EU) 2022/1925;
      • (35) ‘media service’ means a media service as defined in Article 2(1) of Regulation (EU) 2024/1083;
      • (36) ‘media service provider’ means a media service provider as defined in Article 2(2) of Regulation (EU) 2024/1083;
      • (37) ‘online interface’ means an online interface as defined in Article 3(m) of Regulation (EU) 2022/2065.
      • (38) “scientific research” means any research which can also support innovation, such as technological development and demonstration. These actions shall contribute to existing scientific knowledge or apply existing knowledge in novel ways, be carried out with the aim of contributing to the growth of society’s general knowledge and wellbeing and adhere to ethical standards in the relevant research area. This does not exclude that the research may also aim to further a commercial interest.
Principles relating to processing of personal data

Article 5

  • Article 5 (1)(b) is replaced by the following:
    • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), be considered to be compatible with the initial purposes, independent of the conditions of Article 6(4) of this Regulation, (‘purpose limitation’);
Processing of special categories of personal data

Article 9

  • Article 9 is amended as follows:
    • in paragraph 2, the following points are added:
      • (k) processing in the context of the development and operation of an AI system as defined in Article 3, point (1), of Regulation (EU) 2024/1689 or an AI model, subject to the conditions referred to in paragraph 5.
      • (l) processing of biometric data is necessary for the purpose of confirming the identity of a data subject (verification), where the biometric data or the means needed for the verification is under the sole control of the data subject.
    • the following paragraph is added:
      • 5. For processing referred to in point (k) of paragraph 2, appropriate organisational and technical measures shall be implemented to avoid the collection and otherwise processing of special categories of personal data. Where, despite the implementation of such measures, the controller identifies special categories of personal data in the datasets used for training, testing or validation or in the AI system or AI model, the controller shall remove such data. If removal of those data requires disproportionate effort, the controller shall in any event effectively protect without undue delay such data from being used to produce outputs, from being disclosed or otherwise made available to third parties.
Transparent information, communication and modalities for the exercise of the rights of the data subject

Article 12

  • In Article 12, paragraph 5 is replaced by the following:
    • 5. Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character or also, for requests under Article 15 because the data subject abuses the rights conferred by this regulation for purposes other than the protection of their data, the controller may either:
      • (a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
      • (b) refuse to act on the request.
    • The controller shall bear the burden of demonstrating that the request is manifestly unfounded or that there are reasonable grounds to believe that it is excessive.
Information to be provided where personal data are collected from the data subject

Article 13

  • In Article 13:
    • paragraph 4 is replaced by the following:
      • 4. Paragraphs 1, 2 and 3 shall not apply where the personal data have been collected in the context of a clear and circumscribed relationship between data subjects and a controller exercising an activity that is not data-intensive and there are reasonable grounds to assume that the data subject already has the information referred to in points (a) and (c) of paragraph 1, unless the controller transmits the data to other recipients or categories of recipients, transfers the data to a third country, carries out automated decision-making, including profiling, referred to in Article 22(1), or the processing is likely to result in a high risk to the rights and freedoms of data subjects within the meaning of Article 35.
    • paragraph 5 is added:
      • 5. When the processing takes place for scientific research purposes and the provision of information referred to under paragraphs 1, 2 and 3 proves impossible or would involve a disproportionate effort subject to the conditions and safeguards referred to in Article 89(1) or in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing, the controller does not need to provide the information referred to under paragraphs 1, 2 and 3. In such cases the controller shall take appropriate measures to protect the data subject's rights and freedoms and legitimate interests, including making the information publicly available.
Automated individual decision-making, including profiling

Article 22

  • In Article 22, paragraphs 1 and 2 are replaced by the following:
    • 1. A decision which produces legal effects for a data subject or similarly significantly affects him or her may be based solely on automated processing, including profiling, only where that decision:
      • (a) is necessary for entering into, or performance of, a contract between the data subject and a data controller regardless of whether the decision could be taken otherwise than by solely automated means;
      • (b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
      • (c) is based on the data subject's explicit consent.
Notification of a personal data breach to the supervisory authority

Article 33

  • Article 33 is amended as follows:
    • paragraph 1 is replaced by the following:
      • 1. In the case of a personal data breach that is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall without undue delay and, where feasible, not later than 96 hours after having become aware of it, notify the personal data breach via the single-entry point established pursuant to Article 23a of Directive (EU) 2022/2555 to the supervisory authority competent in accordance with Article 55 and Article 56. Where the notification to the supervisory authority is not made within 96 hours, it shall be accompanied by reasons for the delay.
    • the following paragraph is added:
      • 1a. Until the establishment of the single-entry point pursuant to Article 23a of Directive (EU) 2022/2555, controllers shall continue to notify personal data breaches directly to the competent supervisory authority in accordance with Article 55 and Article 56.
    • the following paragraphs are added:
      • 6. The Board shall prepare and transmit to the Commission a proposal for a common template for notifying a personal data breach to the competent supervisory authority referred to in paragraph 1 as well as for a list of the circumstances in which a personal data breach is likely to result in a high risk to the rights and freedoms of a natural person. The proposals shall be submitted to the Commission within [OP date = nine months of the entry into application of this Regulation]. The Commission after due consideration reviews it, as necessary, and is empowered to adopt it by way of an implementing act in accordance with the examination procedure set out in Article 93(2).
      • 7. The template and the list referred to in paragraph 6 shall be reviewed at least every three years and updated where necessary. The Board shall submit its assessment and possible proposals for updates to the Commission in due time. The Commission after due consideration of the proposals reviews them and is empowered to adopt any updates following the procedure in paragraph 6.
Data protection impact assessment

Article 35

  • Article 35 is amended as follows:
    • paragraphs 4, 5 and 6 are replaced by the following:
      • 4. The Board shall prepare and transmit to the Commission a proposal for a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment pursuant to paragraph 1.
      • 5. The Board shall prepare and transmit to the Commission a proposal for a list of the kind of processing operations for which no data protection impact assessment is required.
      • 6. The Board shall prepare and transmit to the Commission a proposal for a common template and a common methodology for conducting data protection impact assessments.
    • the following paragraphs are inserted:
      • 6a. The proposals for the lists referred to in paragraphs 4 and 5 and for the template and methodology referred to in paragraph 6 shall be submitted to the Commission within [OP date = 9 months of the entry into application of this Regulation]. The Commission after due consideration reviews them, as necessary, and is empowered to adopt them by way of an implementing act in accordance with the examination procedure set out in Article 93(2).
      • 6b. The lists and the template and methodology referred to in paragraph 6a shall be reviewed at least every three years and updated where necessary. The Board shall submit its assessment and possible proposals for updates to the Commission in due time. The Commission after due consideration of the proposals reviews them and is empowered to adopt any updates following the procedure in paragraph 6a.
      • 6c. Lists of the kind of processing operations which are subject to the requirement for a data protection impact assessment and of the kind of processing operations for which no data protection impact assessment is required established and made public by supervisory authorities remain valid until the Commission adopts the implementing act referred to in paragraph 6a.
Tasks

Article 57

  • Article 57(1)(k) is deleted: establish and maintain a list in relation to the requirement for data protection impact assessment pursuant to Article 35(4)
Opinion of the Board

Article 64

  • Article 64(1)(a) is deleted: aims to adopt a list of the processing operations subject to the requirement for a data protection impact assessment pursuant to Article 35(4)
Tasks of the Board

Article 70

  • Article 70(1)(h) is deleted: issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph as to the circumstances in which a personal data breach is likely to result in a high risk to the rights and freedoms of the natural persons referred to in Article 34(1)
  • in Article 70(1), the following points are inserted:
    • (ha) prepare and transmit to the Commission a proposal for a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment and for which no data protection impact assessment is required, pursuant to Article 35.
    • (hb) prepare and transmit to the Commission a proposal for a common template and a common methodology for conducting data protection impact assessments, pursuant to Article 35.
    • (hc) prepare and transmit to the Commission a proposal for a common template for notifying a personal data breach to the competent supervisory authority as well as for a list of the circumstances in which a personal data breach is likely to result in a high risk to the rights and freedoms of a natural person pursuant to Article 33.

Additions

  • Article 41a (no title – concerns Commission implementing acts)
  • After Article 88, the following articles are added:
    • Article 88a: Processing of personal data in the terminal equipment of natural persons
    • Article 88b: Automated and machine-readable indications of data subject’s choices with respect to processing of personal data in the terminal equipment of natural persons
    • Article 88c: Processing in the context of the development and operation of AI
